Chinaunix首页 | 论坛 | 博客
  • 博客访问: 918211
  • 博文数量: 132
  • 博客积分: 9976
  • 博客等级: 中将
  • 技术积分: 1781
  • 用 户 组: 普通用户
  • 注册时间: 2007-08-30 20:40
文章分类

全部博文(132)

文章存档

2013年(1)

2011年(1)

2010年(15)

2009年(77)

2008年(36)

2007年(2)

我的朋友

分类: C/C++

2008-03-11 12:00:54

函数syslog的问题

今天我发现我写的一个程序 在执行到syslog函数时停止了, 不清楚为何。 所以在网上查了些资料:


==========================================

RFC 3164 (RFC3164)

Internet RFC/STD/FYI/BCP Archives

[ | | | | Documents | ]

Alternate Formats: |

RFC 3164 - The BSD Syslog Protocol


Network Working Group                                         C. Lonvick
Request for Comments: 3164 Cisco Systems
Category: Informational August 2001

The BSD syslog Protocol

Status of this Memo

This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

This document describes the observed behavior of the syslog protocol.
This protocol has been used for the transmission of event
notification messages across networks for many years. While this
protocol was originally developed on the University of California
Berkeley Software Distribution (BSD) TCP/IP system implementations,
its value to operations and management has led it to be ported to
many other operating systems as well as being embedded into many
other networked devices.

Table of Contents

1. Introduction....................................................2
1.1 Events and Generated Messages..................................3
1.2 Operations of the Message Receivers............................5
2. Transport Layer Protocol........................................5
3. Definitions and Architecture....................................5
4. Packet Format and Contents......................................7
4.1 syslog Message Parts...........................................8
4.1.1 PRI Part.....................................................8
4.1.2 HEADER Part of a syslog Packet..............................10
4.1.3 MSG Part of a syslog Packet.................................11
4.2 Original syslog Packets Generated by a Device.................12
4.3 Relayed syslog Packets........................................12
4.3.1 Valid PRI and TIMESTAMP.....................................13
4.3.2 Valid PRI but no TIMESTAMP or invalid TIMESTAMP.............13
4.3.3 No PRI or Unidentifiable PRI................................14
5. Conventions....................................................14
5.1 Dates and Times...............................................15
5.2 Domain Name and Address.......................................15

5.3 Originating Process Information...............................15
5.4 Examples......................................................16
6. Security Considerations........................................18
6.1 Packet Parameters.............................................19
6.2 Message Authenticity..........................................19
6.2.1 Authentication Problems.....................................19
6.2.2 Message Forgery.............................................20
6.3 Sequenced Delivery............................................20
6.3.1 Single Source to a Destination..............................20
6.3.2 Multiple Sources to a Destination...........................21
6.3.3 Multiple Sources to Multiple Destinations...................21
6.3.4 Replaying...................................................22
6.4 Reliable Delivery.............................................22
6.5 Message Integrity.............................................22
6.6 Message Observation...........................................22
6.7 Message Prioritization and Differentiation....................23
6.8 Misconfiguration..............................................24
6.9 Forwarding Loop...............................................24
6.10 Load Considerations..........................................25
7. IANA Considerations............................................25
8. Conclusion and Other Efforts...................................25
Acknowledgements..................................................26
References........................................................27
Author's Address..................................................28
Full Copyright Statement..........................................29

1. Introduction

Since the beginning, life has relied upon the transmission of
messages. For the self-aware organic unit, these messages can relay
many different things. The messages may signal danger, the presence
of food or the other necessities of life, and many other things. In
many cases, these messages are informative to other units and require
no acknowledgement. As people interacted and created processes, this
same principle was applied to societal communications. As an
example, severe weather warnings may be delivered through any number
of channels - a siren blowing, warnings delivered over television and
radio stations, and even through the use of flags on ships. The
expectation is that people hearing or seeing these warnings would
realize their significance and take appropriate action. In most
cases, no responding acknowledgement of receipt of the warning is
required or even desired. Along these same lines, operating systems,
processes and applications were written to send messages of their own
status, or messages to indicate that certain events had occurred.
These event messages generally had local significance to the machine
operators. As the operating systems, processes and applications grew
ever more complex, systems were devised to categorize and log these
diverse messages and allow the operations staff to more quickly

differentiate the notifications of problems from simple status
messages. The syslog process was one such system that has been
widely accepted in many operating systems. Flexibility was designed
into this process so the operations staff have the ability to
configure the destination of messages sent from the processes running
on the device. In one dimension, the events that were received by
the syslog process could be logged to different files and also
displayed on the console of the device. In another dimension, the
syslog process could be configured to forward the messages across a
network to the syslog process on another machine. The syslog process
had to be built network-aware for some modicum of scalability since
it was known that the operators of multiple systems would not have
the time to access each system to review the messages logged there.
The syslog process running on the remote devices could therefore be
configured to either add the message to a file, or to subsequently
forward it to another machine.

In its most simplistic terms, the syslog protocol provides a
transport to allow a machine to send event notification messages
across IP networks to event message collectors - also known as syslog
servers. Since each process, application and operating system was
written somewhat independently, there is little uniformity to the
content of syslog messages. For this reason, no assumption is made
upon the formatting or contents of the messages. The protocol is
simply designed to transport these event messages. In all cases,
there is one device that originates the message. The syslog process
on that machine may send the message to a collector. No
acknowledgement of the receipt is made.

One of the fundamental tenets of the syslog protocol and process is
its simplicity. No stringent coordination is required between the
transmitters and the receivers. Indeed, the transmission of syslog
messages may be started on a device without a receiver being
configured, or even actually physically present. Conversely, many
devices will most likely be able to receive messages without explicit
configuration or definitions. This simplicity has greatly aided the
acceptance and deployment of syslog.

1.1 Events and Generated Messages

The writers of the operating systems, processes and applications have
had total control over the circumstances that would generate any
message. In some cases, messages are generated to give status. These
can be either at a certain period of time, or at some other interval
such as the invocation or exit of a program. In other cases, the
messages may be generated due to a set of conditions being met. In
those cases, either a status message or a message containing an alarm
of some type may be generated. It was considered that the writers of

the operating systems, processes and applications would quantify
their messages into one of several broad categories. These broad
categories generally consist of the facility that generated them,
along with an indication of the severity of the message. This was so
that the operations staff could selectively filter the messages and
be presented with the more important and time sensitive notifications
quickly, while also having the ability to place status or informative
messages in a file for later perusal. Other options for displaying
or storing messages have been seen to exist as well.

Devices MUST be configured with rules for displaying and/or
forwarding the event messages. The rules that have been seen are
generally very flexible. An administrator may want to have all
messages stored locally as well as to have all messages of a high
severity forwarded to another device. They may find it appropriate
to also have messages from a particular facility sent to some or all
of the users of the device and displayed on the system console.
However the administrator decides to configure the disposition of the
event messages, the process of having them sent to a syslog collector
generally consists of deciding which facility messages and which
severity levels will be forwarded, and then defining the remote
receiver. For example, an administrator may want all messages that
are generated by the mail facility to be forwarded to one particular
event message collector. Then the administrator may want to have all
kernel generated messages sent to a different syslog receiver while,
at the same time, having the critically severe messages from the
kernel also sent to a third receiver. It may also be appropriate to
have those messages displayed on the system console as well as being
mailed to some appropriate people, while at the same time, being sent
to a file on the local disk of the device. Conversely, it may be
appropriate to have messages from a locally defined process only
displayed on the console but not saved or forwarded from the device.
In any event, the rules for this will have to be generated on the
device. Since the administrators will then know which types of
messages will be received on the collectors, they should then make
appropriate rules on those syslog servers as well.

The contents of a message have also been at the discretion of its
creator. It has been considered to be good form to write the
messages so that they are informative to the person who may be
reading them. It has also been considered good practice to include a
timestamp and some indication of the sending device and the process
that originated it in the messages. However, none of those are
stringently required.

It should be assumed that any process on any device might generate an
event message. This may include processes on machines that do not
have any local storage - e.g., printers, routers, hubs, switches, and

diskless workstations. In that case, it may be imperative that event
messages are transported to a collector so that they may be recorded
and hopefully viewed by an operator.

1.2 Operations of the Message Receivers

It is beyond the scope of this document to specify how event messages
should be processed when they are received. Like the operations
described in Section 1.1, they generally may be displayed to the
appropriate people, saved onto disk, further forwarded, or any
combination of these. The rules for determining the disposition of
received messages have been seen to be identical to the rules for
determining the disposition of locally generated messages.

As a very general rule, there are usually many devices sending
messages to relatively fewer collectors. This fan-in process allows
an administrator to aggregate messages into relatively few
repositories.

2. Transport Layer Protocol

syslog uses the user datagram protocol (UDP) [1] as its underlying
transport layer mechanism. The UDP port that has been assigned to
syslog is 514. It is RECOMMENDED that the source port also be 514 to
indicate that the message is from the syslog process of the sender,
but there have been cases seen where valid syslog messages have come
from a sender with a source port other than 514. If the sender uses
a source port other than 514 then it is RECOMMENDED and has been
considered to be good form that subsequent messages are from a single
consistent port.

3. Definitions and Architecture

The following definitions will be used in this document.

A machine that can generate a message will be called a
"device".

A machine that can receive the message and forward it to
another machine will be called a "relay".

A machine that receives the message and does not relay it to
any other machines will be called a "collector". This has been
commonly known as a "syslog server".

Any device or relay will be known as the "sender" when it sends
a message.

Any relay or collector will be known as the "receiver" when it
receives the message.

The architecture of the devices may be summarized as follows:

Senders send messages to relays or collectors with no knowledge
of whether it is a collector or relay.

Senders may be configured to send the same message to multiple
receivers.

Relays may send all or some of the messages that they receive
to a subsequent relay or collector. In the case where they do
not forward all of their messages, they are acting as both a
collector and a relay. In the following diagram, these devices
will be designated as relays.

Relays may also generate their own messages and send them on to
subsequent relays or collectors. In that case it is acting as
a device. These devices will also be designated as a relay in
the following diagram.

The following architectures shown in Diagram 1 are valid while the
first one has been known to be the most prevalent. Other
arrangements of these examples are also acceptable. As noted above,
in the following diagram relays may pass along all or some of the
messages that they receive along with passing along messages that
they internally generate.

+------+ +---------+
|Device|---->----|Collector|
+------+ +---------+

+------+ +-----+ +---------+
|Device|---->----|Relay|---->----|Collector|
+------+ +-----+ +---------+

+------+ +-----+ +-----+ +---------+
|Device|-->--|Relay|-->--..-->--|Relay|-->--|Collector|
+------+ +-----+ +-----+ +---------+

+------+ +-----+ +---------+
|Device|---->----|Relay|---->----|Collector|
| |-\ +-----+ +---------+
+------+ \
\ +-----+ +---------+
\-->--|Relay|---->----|Collector|
+-----+ +---------+

+------+ +---------+
|Device|---->----|Collector|
| |-\ +---------+
+------+ \
\ +-----+ +---------+
\-->--|Relay|---->----|Collector|
+-----+ +---------+

+------+ +-----+ +---------+
|Device|---->----|Relay|---->-------|Collector|
| |-\ +-----+ /--| |
+------+ \ / +---------+
\ +-----+ /
\-->--|Relay|-->--/
+-----+

Diagram 1. Some Possible syslog Architectures

4. Packet Format and Contents

The payload of any IP packet that has a UDP destination port of 514
MUST be treated as a syslog message. There MAY be differences
between the format of an originally transmitted syslog message and
the format of a relayed message. In essence, it is RECOMMENDED to
transmit a syslog message in the format specified in this document,
but it is not required. If a relay is able to recognize the message
as adhering to that format then it MUST retransmit the message
without making any changes to it. However, if a relay receives a

message but cannot discern the proper implementation of the format,
it is REQUIRED to modify the message so that it conforms to that
format before it retransmits it. Section 4.1 will describe the
RECOMMENDED format for syslog messages. Section 4.2 will describe
the requirements for originally transmitted messages and Section 4.3
will describe the requirements for relayed messages.

4.1 syslog Message Parts

The full format of a syslog message seen on the wire has three
discernable parts. The first part is called the PRI, the second part
is the HEADER, and the third part is the MSG. The total length of
the packet MUST be 1024 bytes or less. There is no minimum length of
the syslog message although sending a syslog packet with no contents
is worthless and SHOULD NOT be transmitted.

4.1.1 PRI Part

The PRI part MUST have three, four, or five characters and will be
bound with angle brackets as the first and last characters. The PRI
part starts with a leading "<" ('less-than' character), followed by a
number, which is followed by a ">" ('greater-than' character). The
code set used in this part MUST be seven-bit ASCII in an eight-bit
field as described in [2]. These are the ASCII codes as
defined in "USA Standard Code for Information Interchange" [3]. In
this, the "<" character is defined as the Augmented Backus-Naur Form
(ABNF) %d60, and the ">" character has ABNF value %d62. The number
contained within these angle brackets is known as the Priority value
and represents both the Facility and Severity as described below.
The Priority value consists of one, two, or three decimal integers
(ABNF DIGITS) using values of %d48 (for "0") through %d57 (for "9").

The Facilities and Severities of the messages are numerically coded
with decimal values. Some of the operating system daemons and
processes have been assigned Facility values. Processes and daemons
that have not been explicitly assigned a Facility may use any of the
"local use" facilities or they may use the "user-level" Facility.
Those Facilities that have been designated are shown in the following
table along with their numerical code values.

Numerical Facility
Code

0 kernel messages
1 user-level messages
2 mail system
3 system daemons
4 security/authorization messages (note 1)

5 messages generated internally by syslogd
6 line printer subsystem
7 network news subsystem
8 UUCP subsystem
9 clock daemon (note 2)
10 security/authorization messages (note 1)
11 FTP daemon
12 NTP subsystem
13 log audit (note 1)
14 log alert (note 1)
15 clock daemon (note 2)
16 local use 0 (local0)
17 local use 1 (local1)
18 local use 2 (local2)
19 local use 3 (local3)
20 local use 4 (local4)
21 local use 5 (local5)
22 local use 6 (local6)
23 local use 7 (local7)

Table 1. syslog Message Facilities

Note 1 - Various operating systems have been found to utilize
Facilities 4, 10, 13 and 14 for security/authorization,
audit, and alert messages which seem to be similar.
Note 2 - Various operating systems have been found to utilize
both Facilities 9 and 15 for clock (cron/at) messages.

Each message Priority also has a decimal Severity level indicator.
These are described in the following table along with their numerical
values.

Numerical Severity
Code

0 Emergency: system is unusable
1 Alert: action must be taken immediately
2 Critical: critical conditions
3 Error: error conditions
4 Warning: warning conditions
5 Notice: normal but significant condition
6 Informational: informational messages
7 Debug: debug-level messages

Table 2. syslog Message Severities

The Priority value is calculated by first multiplying the Facility
number by 8 and then adding the numerical value of the Severity. For
example, a kernel message (Facility=0) with a Severity of Emergency
(Severity=0) would have a Priority value of 0. Also, a "local use 4"
message (Facility=20) with a Severity of Notice (Severity=5) would
have a Priority value of 165. In the PRI part of a syslog message,
these values would be placed between the angle brackets as <0> and
<165> respectively. The only time a value of "0" will follow the "<"
is for the Priority value of "0". Otherwise, leading "0"s MUST NOT be
used.

4.1.2 HEADER Part of a syslog Packet

The HEADER part contains a timestamp and an indication of the
hostname or IP address of the device. The HEADER part of the syslog
packet MUST contain visible (printing) characters. The code set used
MUST also be seven-bit ASCII in an eight-bit field like that used in
the PRI part. In this code set, the only allowable characters are
the ABNF VCHAR values (%d33-126) and spaces (SP value %d32).

The HEADER contains two fields called the TIMESTAMP and the HOSTNAME.
The TIMESTAMP will immediately follow the trailing ">" from the PRI
part and single space characters MUST follow each of the TIMESTAMP
and HOSTNAME fields. HOSTNAME will contain the hostname, as it knows
itself. If it does not have a hostname, then it will contain its own
IP address. If a device has multiple IP addresses, it has usually
been seen to use the IP address from which the message is
transmitted. An alternative to this behavior has also been seen. In
that case, a device may be configured to send all messages using a
single source IP address regardless of the interface from which the
message is sent. This will provide a single consistent HOSTNAME for
all messages sent from a device.

The TIMESTAMP field is the local time and is in the format of "Mmm dd
hh:mm:ss" (without the quote marks) where:

Mmm is the English language abbreviation for the month of the
year with the first character in uppercase and the other two
characters in lowercase. The following are the only acceptable
values:

Jan, Feb, Mar, Apr, May, Jun, Jul, Aug, Sep, Oct, Nov, Dec

dd is the day of the month. If the day of the month is less
than 10, then it MUST be represented as a space and then the
number. For example, the 7th day of August would be
represented as "Aug 7", with two spaces between the "g" and
the "7".

hh:mm:ss is the local time. The hour (hh) is represented in a
24-hour format. Valid entries are between 00 and 23,
inclusive. The minute (mm) and second (ss) entries are between
00 and 59 inclusive.

A single space character MUST follow the TIMESTAMP field.

The HOSTNAME field will contain only the hostname, the IPv4 address,
or the IPv6 address of the originator of the message. The preferred
value is the hostname. If the hostname is used, the HOSTNAME field
MUST contain the hostname of the device as specified in STD 13 [4].
It should be noted that this MUST NOT contain any embedded spaces.
The Domain Name MUST NOT be included in the HOSTNAME field. If the
IPv4 address is used, it MUST be shown as the dotted decimal notation
as used in STD 13 [5]. If an IPv6 address is used, any valid
representation used in [6] MAY be used. A single space
character MUST also follow the HOSTNAME field.

4.1.3 MSG Part of a syslog Packet

The MSG part will fill the remainder of the syslog packet. This will
usually contain some additional information of the process that
generated the message, and then the text of the message. There is no
ending delimiter to this part. The MSG part of the syslog packet
MUST contain visible (printing) characters. The code set
traditionally and most often used has also been seven-bit ASCII in an
eight-bit field like that used in the PRI and HEADER parts. In this
code set, the only allowable characters are the ABNF VCHAR values
(%d33-126) and spaces (SP value %d32). However, no indication of the
code set used within the MSG is required, nor is it expected. Other
code sets MAY be used as long as the characters used in the MSG are
exclusively visible characters and spaces similar to those described
above. The selection of a code set used in the MSG part SHOULD be
made with thoughts of the intended receiver. A message containing
characters in a code set that cannot be viewed or understood by a
recipient will yield no information of value to an operator or
administrator looking at it.

The MSG part has two fields known as the TAG field and the CONTENT
field. The value in the TAG field will be the name of the program or
process that generated the message. The CONTENT contains the details
of the message. This has traditionally been a freeform message that
gives some detailed information of the event. The TAG is a string of
ABNF alphanumeric characters that MUST NOT exceed 32 characters. Any
non-alphanumeric character will terminate the TAG field and will be
assumed to be the starting character of the CONTENT field. Most
commonly, the first character of the CONTENT field that signifies the

conclusion of the TAG field has been seen to be the left square
bracket character ("["), a colon character (":"), or a space
character. This is explained in more detail in Section 5.3.

4.2 Original syslog Packets Generated by a Device

There are no set requirements on the contents of the syslog packet as
it is originally sent from a device. It should be reiterated here
that the payload of any IP packet destined to UDP port 514 MUST be
considered to be a valid syslog message. It is, however, RECOMMENDED
that the syslog packet have all of the parts described in Section 4.1
- PRI, HEADER and MSG - as this enhances readability by the recipient
and eliminates the need for a relay to modify the message.

For implementers that do choose to construct syslog messages with the
RECOMMENDED format, the following guidance is offered.

If the originally formed message has a TIMESTAMP in the HEADER
part, then it SHOULD be the local time of the device within its
timezone.

If the originally formed message has a HOSTNAME field, then it
will contain the hostname as it knows itself. If it does not
have a hostname, then it will contain its own IP address.

If the originally formed message has a TAG value, then that
will be the name of the program or process that generated the
message.

4.3 Relayed syslog Packets

When a relay receives a packet, it will check for a valid PRI. If
the first character is not a less-than sign, the relay MUST assume
that the packet does not contain a valid PRI. If the 3rd, 4th, or
5th character is not a right angle bracket character, the relay again
MUST assume that the PRI was not included in the original message.
If the relay does find a valid PRI part then it must check for a
valid TIMESTAMP in the HEADER part. From these rules, there will be
three general cases of received messages. Table 3 gives the general
characteristics of these cases and lists the subsequent section of
this document that describes the handling of that case.

Case Section
Valid PRI and TIMESTAMP 4.3.1
Valid PRI but no TIMESTAMP or invalid TIMESTAMP 4.3.2
No PRI or unidentifiable PRI 4.3.3

Table 3. Cases of Received syslog Messages

4.3.1 Valid PRI and TIMESTAMP

If the relay does find a valid PRI and a valid TIMESTAMP, then it
will check its internal configuration. Relays MUST be configured to
forward syslog packets on the basis of their Priority value. If the
relay finds that it is configured to forward the received packet,
then it MUST do so without making any changes to the packet. To
emphasize the point one more time, it is for this reason that it is
RECOMMENDED that the syslog message originally transmitted adhere to
the format described in Section 4.1.

It should be noted here that the message receiver does not need to
validate the time in the TIMESTAMP field. The assumption may be made
that a device whose date has not been correctly set will still have
the ability to send valid syslog messages. Additionally, the relay
does not need to validate that the value in the HOSTNAME field
matches the hostname or IP address of the device sending the message.
A reason for this behavior may be found in Section 4.1.2.

4.3.2 Valid PRI but no TIMESTAMP or invalid TIMESTAMP

If a relay does not find a valid TIMESTAMP in a received syslog
packet, then it MUST add a TIMESTAMP and a space character
immediately after the closing angle bracket of the PRI part. It
SHOULD additionally add a HOSTNAME and a space character after the
TIMESTAMP. These fields are described here and detailed in Section
4.1.2. The remainder of the received packet MUST be treated as the
CONTENT field of the MSG and appended. Since the relay would have no
way to determine the originating process from the device that
originated the message, the TAG value cannot be determined and will
not be included.

The TIMESTAMP will be the current local time of the relay.

The HOSTNAME will be the name of the device, as it is known by the
relay. If the name cannot be determined, the IP address of the
device will be used.

If the relay adds a TIMESTAMP, or a TIMESTAMP and HOSTNAME, after the
PRI part, then it MUST check that the total length of the packet is
still 1024 bytes or less. If the packet has been expanded beyond
1024 bytes, then the relay MUST truncate the packet to be 1024 bytes.
This may cause the loss of vital information from the end of the
original packet. It is for this reason that it is RECOMMENDED that
the PRI and HEADER parts of originally generated syslog packets
contain the values and fields documented in Section 4.1.

4.3.3 No PRI or Unidentifiable PRI

If the relay receives a syslog message without a PRI, or with an
unidentifiable PRI, then it MUST insert a PRI with a Priority value
of 13 as well as a TIMESTAMP as described in Section 4.3.2. The
relay SHOULD also insert a HOSTNAME as described in Section 4.3.2.
The entire contents of the received packet will be treated as the
CONTENT of the relayed MSG and appended.

An example of an unidentifiable PRI would be "<00>", without the
double quotes. It may be that these are the first 4 characters of
the message. To continue this example, if a relay does receive a
syslog message with the first four characters of "<00>", then it will
consult its configuration. If it is configured to forward syslog
messages with a Priority value of 13 to another relay or collector,
then it MUST modify the packet as described above. The specifics of
doing this, including the RECOMMENDED insertion of the HOSTNAME, are
given below.

Originally received message
<00>...
Relayed message
<13>TIMESTAMP HOSTNAME <00>...

If the relay adds a TIMESTAMP, or a TIMESTAMP and HOSTNAME, after the
PRI part, then it MUST check that the total length of the packet is
still 1024 bytes or less. If the packet has been expanded beyond
1024 bytes, then the relay MUST truncate the packet to be 1024 bytes.
This may cause the loss of vital information from the end of the
original packet. It is for this reason that it is RECOMMENDED that
the PRI and HEADER parts of originally generated syslog packets
contain the values and fields documented in Section 4.1.

5. Conventions

Although Section 4 of this document specifies all requirements for
the syslog protocol format and contents, certain conventions have
come about over time for the inclusion of additional information
within the syslog message. It must be plainly stated that these
items are not mandated but may be considered by implementers for
completeness and to give the recipient some additional clues of their
origin and nature.

5.1 Dates and Times

It has been found that some network administrators like to archive
their syslog messages over long periods of time. It has been seen
that some original syslog messages contain a more explicit time stamp
in which a 2 character or 4 character year field immediately follows
the space terminating the TIMESTAMP. This is not consistent with the
original intent of the order and format of the fields. If
implementers wish to contain a more specific date and time stamp
within the transmitted message, it should be within the CONTENT
field. Implementers may wish to utilize the ISO 8601 [7] date and
time formats if they want to include more explicit date and time
information.

Additional methods to address this desire for long-term archiving
have been proposed and some have been successfully implemented. One
such method is that the network administrators may choose to modify
the messages stored on their collectors. They may run a simple
script to add the year, and any other information, to each stored
record. Alternatively, the script may replace the stored time with a
format more appropriate for the needs of the network administrators.
Another alternative has been to insert a record into the file that
contains the current year. By association then, all other records
near that informative record should have been received in that same
year. Neither of these however, addresses the issue of associating a
correct timezone with each record.

5.2 Domain Name and Address

To readily identify the device that originated the message, it may be
a good practice to include its fully qualified domain name (FQDN) and
its IP address within the CONTENT field. Traditionally, however,
only the hostname has been included in the HOSTNAME field.

5.3 Originating Process Information

It has also been considered to be a good practice to include some
information about the process on the device that generated the
message - if that concept exists. This is usually the process name
and process id (often known as the "pid") for robust operating
systems. The process name is commonly displayed in the TAG field.
Quite often, additional information is included at the beginning of
the CONTENT field. The format of "TAG[pid]:" - without the quote
marks - is common. The left square bracket is used to terminate the
TAG field in this case and is then the first character in the CONTENT
field. If the process id is immaterial, it may be left off.

In that case, a colon and a space character usually follow the TAG.
This would be displayed as "TAG: " without the quotes. In that case,
the colon is the first character in the CONTENT field.

5.4 Examples

As examples, these are valid messages as they may be observed on the
wire between two devices. In the following examples, each message
has been indented, with line breaks inserted in this document for
readability.

Example 1

<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick
on /dev/pts/8

This example shows an authentication error in an attempt to acquire
additional privileges. It also shows the command attempted and the
user attempting it. This was recorded as an original message from
the device called mymachine. A relay receiving this would not make
any changes before sending it along as it contains a properly
formatted PRI part and TIMESTAMP field in the HEADER part. The TAG
value in this example is the process "su". The colon has terminated
the TAG field and is the first character of the CONTENT field. In
this case, the process id (pid) would be considered transient and
anyone looking at this syslog message would gain no useful
information from knowing the pid. It has not been included so the
first two characters of the CONTENT field are the colon and a space
character.

Example 2

Use the BFG!

While this is a valid message, it has extraordinarily little useful
information. This message does not have any discernable PRI part. It
does not contain a timestamp or any indication of the source of the
message. If this message is stored on paper or disk, subsequent
review of the message will not yield anything of value.

This example is obviously an original message from a device. A relay
MUST make changes to the message as described in Section 4.3 before
forwarding it. The resulting relayed message is shown below.

<13>Feb 5 17:32:18 10.0.0.99 Use the BFG!

In this relayed message, the entire message has been treated as the
CONTENT portion of the MSG part. First, a valid PRI part has been
added using the default priority value of 13. Next, a TIMESTAMP has
been added along with a HOSTNAME in the HEADER part. Subsequent
relays will not make any further changes to this message. It should
be noted in this example that the day of the month is less than 10.
Since single digits in the date (5 in this case) are preceded by a
space in the TIMESTAMP format, there are two spaces following the
month in the TIMESTAMP before the day of the month. Also, the relay
appears to have no knowledge of the host name of the device sending
the message so it has inserted the IPv4 address of the device into
the HOSTNAME field.

Example 3

<165>Aug 24 05:34:00 CST 1987 mymachine myproc[10]: %% It's
time to make the do-nuts. %% Ingredients: Mix=OK, Jelly=OK #
Devices: Mixer=OK, Jelly_Injector=OK, Frier=OK # Transport:
Conveyer1=OK, Conveyer2=OK # %%

This message does have a valid PRI part with a Priority value
indicating that it came from a locally defined facility (local4) with
a severity of Notice. The HEADER part has a proper TIMESTAMP field
in the message. A relay will not modify this message before sending
it. However, the HOSTNAME and TAG fields are not consistent with the
definitions in Section 4. The HOSTNAME field would be construed to
be "CST" and the beginning of the MSG part would be "1987".

It should be noted that the information contained in the CONTENT of
this example is not telemetry data, nor is it supervisory control or
data acquisition information. Due to the security concerns listed in
Section 6 of this document, information of that nature should
probably not be conveyed across this protocol.

Example 4

<0>1990 Oct 22 10:52:01 TZ-6 scapegoat.dmz.example.org 10.1.2.3
sched[0]: That's All Folks!

This example has a lot of extraneous information throughout. A human
or sufficiently adaptable automated parser would be able to determine
the date and time information as well as a fully qualified domain
name (FQDN) [4] and IP address. The information about the nature of
the event is, however, limited. Due to the indicated severity of the
event, the process may not have been able to gather or send anything
more informative. It may have been fortunate to have generated and
sent this message at all.

This example is obviously an original message from a device. Since
the first field in the HEADER part is not a TIMESTAMP in the format
defined in Section 4.1.2, it MUST be modified by a relay. A relay
will add a TIMESTAMP and SHOULD add a HOSTNAME as follows and will
treat the entire received packet after the PRI part from the original
packet as the CONTENT field of the new packet. The value used in the
HOSTNAME field is only the hostname without the domain name as it is
known by the relay. A TAG value will not be added to the relayed
packet. While the inclusion of the domain name and IPv4 address in
the original message is a noble endeavor, it is not consistent with
the use of the field as described in Section 4.1.2.

<0>Oct 22 10:52:12 scapegoat 1990 Oct 22 10:52:01 TZ-6
scapegoat.dmz.example.org 10.1.2.3 sched[0]: That's All Folks!

6. Security Considerations

An odor may be considered to be a message that does not require any
acknowledgement. People tend to avoid bad odors but are drawn to
odors that they associate with good food. The acknowledgement of the
receipt of the odor or scent is not required and indeed it may be the
height of discretion to totally ignore some odors. On the other
hand, it is usually considered good civility to acknowledge the
prowess of the cook merely from the ambiance wafting from the
kitchen. Similarly, various species have been found to utilize odors
to attract mates. One species of moth uses this scent to find each
other. However, it has been found that bolas spiders can mimic the
odor of the female moths of this species. This scent will then
attract male moths, which will follow it with the expectation of
finding a mate. Instead, when they arrive at the source of the
scent, they will be eaten [8]. This is a case of a false message
being sent out with inimical intent.

In its local use, the syslog process places event notification
messages into files on that system. This relies upon the integrity
of the system for the protection of the messages. The subsequent
configuration of the syslog process to use the syslog protocol to
transport the messages to a remote collector was an extension of the
delivery of event notification messages and it exhibits the same
trust of the network. There are several security consequences of the
fundamental simplicity of syslog and there are some concerns about
the applicability of this protocol in situations that require robust
delivery. Along the lines of the analogy, computer event messages
may be sent accidentally, erroneously and even maliciously. At the
time of this writing, however, there have not been any reports of any
networked device consuming any other device.

6.1 Packet Parameters

As was described above, the message length MUST NOT exceed 1024
bytes. Attacks have seen where syslog messages are sent to a
receiver that have message lengths greater than 1024 bytes. In some
older versions of syslog, the receipt of syslog packets that had a
message greater than 1024 bytes caused problems. syslog message
receivers must not malfunction upon the receipt of packets where the
message length is greater than 1024 bytes. Various behaviors have
been seen on receivers that do receive messages greater than 1024
bytes. Some have been seen to log the entire contents of the
message, while others have been seen to log only portions of the
message. Still others have been known to discard the message
altogether. Devices MUST NOT retransmit messages whose received
length exceeds 1024 bytes.

Similarly, the receiver must rigidly enforce the correctness of the
message body. syslog collectors must not malfunction if received
messages do not have the less-than and greater-than characters around
a valid Priority value. They MUST treat these messages as the
unformatted CONTENT as was described in Section 4.3.3 if they relay
it.

Also, received messages must contain printable text in the message as
was described throughout Section 4. Devices must not malfunction if
they receive a message containing characters other than the
characters described above.

6.2 Message Authenticity

The syslog delivery mechanism does not strongly associate the message
with the message sender. The receiver of that packet will not be
able to ascertain that the message was indeed sent from the reported
sender, or if the packet was sent from another device. It should be
noted here that the message receiver does not need to verify that the
HOSTNAME in the HEADER part match the name of the IP address
contained in the Source Address field of the IP packet.

6.2.1 Authentication Problems

One possible consequence of this behavior is that a misconfigured
machine may send syslog messages to a collector representing itself
as another machine. The administrative staff may become confused
that the status of the supposed sender of the messages may not be
accurately reflected in the received messages. The administrators
may not be able to readily discern that there are two or more
machines representing themselves as the same machine.

It should also be noted that some cases of filling the HOSTNAME field
in the HEADER part might only have local significance and that may
only be ephemeral. If the device had obtained an IP address from a
DHCP pool, then any association between an identifier and an actual
source would not always hold true. The inclusion of a fully
qualified domain name in the CONTENT may give the administrators the
best chance of identifying the source of each message if it can
always be associated with an IP address or if it can always be
associated with a unique machine.

6.2.2 Message Forgery

Malicious exploits of this behavior have also been noted. An
attacker may transmit syslog messages (either from the machine from
which the messages are purportedly sent or from any other machine) to
a collector. In one case, an attacker may hide the true nature of an
attack amidst many other messages. As an example, an attacker may
start generating forged messages indicating a problem on some
machine. This may get the attention of the system administrators who
will spend their time investigating the alleged problem. During this
time, the attacker may be able to compromise a different machine, or
a different process on the same machine. Additionally, an attacker
may generate false syslog messages to give untrue indications of
status or of events. As an example, an attacker may stop a critical
process on a machine, which may generate a notification of exit. The
attacker may subsequently generate a forged notification that the
process had been restarted. The system administrators may accept
that misinformation and not verify that the process had indeed been
restarted.

6.3 Sequenced Delivery

As a general rule, the forensics of a network anomaly rely upon
reconstructing the sequence of events. In a perfect world, the
messages would be received on the syslog collector in the order of
their generation from the other devices and anyone looking at these
records would have an accurate picture of the sequence of events.
Unfortunately, the syslog process and protocol do not ensure ordered
delivery. This section details some of the problems that may be
encountered from this.

6.3.1 Single Source to a Destination

The syslog records are usually presented (placed in a file, displayed
on the console, etc.) in the order in which they are received. This
is not always in accordance with the sequence in which they were
generated. As they are transported across an IP network, some out of
order receipt should be expected. This may lead to some confusion as

messages may be received that would indicate that a process has
stopped before it was started. This may be somewhat rectified if the
originating process had timestamped or numbered each of the messages
before transmission. In this, the sending device should utilize an
authoritative time source. It should be remembered, however, that
not all devices are capable of receiving time updates, and not all
devices can timestamp their messages.

6.3.2 Multiple Sources to a Destination

In syslog, there is no concept of unified event numbering. Single
devices are free to include a sequence number within the CONTENT but
that can hardly be coordinated between multiple devices. In such
cases, multiple devices may report that each one is sending message
number one. Again, this may be rectified somewhat if the sending
devices utilize a timestamp from an authoritative source in their
messages. As has been noted, however, even messages from a single
device to a single collector may be received out of order. This
situation is compounded when there are several devices configured to
send their syslog messages to a single collector. Messages from one
device may be delayed so the collector receives messages from another
device first even though the messages from the first device were
generated before the messages from the second. If there is no
timestamp or coordinated sequence number, then the messages may be
presented in the order in which they were received which may give an
inaccurate view of the sequence of actual events.

6.3.3 Multiple Sources to Multiple Destinations

The plethora of configuration options available to the network
administrators may further skew the perception of the order of
events. It is possible to configure a group of devices to send the
status messages -or other informative messages- to one collector,
while sending messages of relatively higher importance to another
collector. Additionally, the messages may be sent to different files
on the same collector. If the messages do not contain timestamps
from the source, it may be difficult to order the messages if they
are kept in different places. An administrator may not be able to
determine if a record in one file occurred before or after a record
in a different file. This may be somewhat alleviated by placing
marking messages with a timestamp into all destination files. If
these have coordinated timestamps, then there will be some indication
of the time of receipt of the individual messages.

6.3.4 Replaying

Without any sequence indication or timestamp, messages may be
recorded and replayed at a later time. An attacker may record a set
of messages that indicate normal activity of a machine. At a later
time, that attacker may remove that machine from the network and
replay the syslog messages to the collector. Even with a TIMESTAMP
field in the HEADER part, an attacker may record the packets and
could simply modify them to reflect the current time before
retransmitting them. The administrators may find nothing unusual in
the received messages and their receipt would falsely indicate normal
activity of the machine.

6.4 Reliable Delivery

As there is no mechanism within either the syslog process or the
protocol to ensure delivery, and since the underlying transport is
UDP, some messages may be lost. They may either be dropped through
network congestion, or they may be maliciously intercepted and
discarded. The consequences of the drop of one or more syslog
messages cannot be determined. If the messages are simple status
updates, then their non-receipt may either not be noticed, or it may
cause an annoyance for the system operators. On the other hand, if
the messages are more critical, then the administrators may not
become aware of a developing and potentially serious problem.
Messages may also be intercepted and discarded by an attacker as a
way to hide unauthorized activities.

6.5 Message Integrity

Besides being discarded, syslog messages may be damaged in transit,
or an attacker may maliciously modify them. In the case of a packet
containing a syslog message being damaged, there are various
mechanisms built into the link layer as well as into the IP [9] and
UDP protocols which may detect the damage. An intermediary router
may discard a damaged IP packet [10]. Damage to a UDP packet may be
detected by the receiving UDP module, which may silently discard it.
In any case, the original contents of the message will not be
delivered to the collector. Additionally, if an attacker is
positioned between the sender and collector of syslog messages, they
may be able to intercept and modify those messages while in-transit
to hide unauthorized activities.

6.6 Message Observation

While there are no strict guidelines pertaining to the event message
format, most syslog messages are generated in human readable form
with the assumption that capable administrators should be able to

read them and understand their meaning. Neither the syslog protocol
nor the syslog application have mechanisms to provide confidentiality
of the messages in transit. In most cases passing clear-text
messages is a benefit to the operations staff if they are sniffing
the packets off of the wire. The operations staff may be able to
read the messages and associate them with other events seen from
other packets crossing the wire to track down and correct problems.
Unfortunately, an attacker may also be able to observe the human-
readable contents of syslog messages. The attacker may then use the
knowledge gained from those messages to compromise a machine or do
other damage.

6.7 Message Prioritization and Differentiation

While the processes that create the messages may signify the
importance of the events through the use of the message Priority
value, there is no distinct association between this value and the
importance of delivery of the packet. As an example of this,
consider an application that generates two event messages. The first
is a normal status message but the second could be an important
message denoting a problem with the process. This second message
would have an appropriately higher Severity value associated with the
importance of that event. If the operators had configured that both
of these messages be transported to a syslog collector then they
would, in turn, be given to UDP for transmission. Under normal
conditions, no distinction would be made between them and they would
be transmitted in their order.

Again, under normal circumstances, the receiver would accept syslog
messages as they are received. If many devices are transmitting
normal status messages, but one is transmitting an important event
message, there is no inherent mechanism within the syslog protocol to
prioritize the important message over the other messages.

On a case-by-case basis, device operators may find some way to
associate the different levels with the quality of service
identifiers. As an example, the operators may elect to define some
linkage between syslog messages that have a specific Priority value
with a specific value to be used in the IPv4 Precedence field [9],
the IPv6 Traffic Class octet [11], or the Differentiated Services
field [12]. In the above example, the operators may have the ability
to associate the status message with normal delivery while
associating the message indicating a problem with a high reliability,
low latency queue as it goes through the network. This would have
the affect of prioritizing the essential messages before the normal
status messages. Even with this hop-by-hop prioritization, this
queuing mechanism could still lead to head of line blocking on the
transmitting device as well as buffer starvation on the receiving

device if there are many near-simultaneous messages being sent or
received. This behavior is not unique to syslog but is endemic to
all operations that transmit messages serially.

There are security concerns for this behavior. Head of line blocking
of the transmission of important event messages may relegate the
conveyance of important messages behind less important messages. If
the queue is cleared appropriately, this may only add seconds to the
transmission of the important message. On the other hand, if the
queue is not cleared, then important messages may not be transmitted.
Also at the receiving side, if the syslog receiver is suffering from
buffer starvation due to large numbers of messages being received
near-simultaneously, important messages may be dropped
indiscriminately along with other messages. While these are problems
with the devices and their capacities, the protocol security concern
is that there is no prioritization of the relatively more important
messages over the less important messages.

6.8 Misconfiguration

Since there is no control information distributed about any messages
or configurations, it is wholly the responsibility of the network
administrator to ensure that the messages are actually going to the
intended recipient. Cases have been noted where devices were
inadvertently configured to send syslog messages to the wrong
receiver. In many cases, the inadvertent receiver may not be
configured to receive syslog messages and it will probably discard
them. In certain other cases, the receipt of syslog messages has
been known to cause problems for the unintended recipient [13]. If
messages are not going to the intended recipient, then they cannot be
reviewed or processed.

6.9 Forwarding Loop

As it is shown in Figure 1, machines may be configured to relay
syslog messages to subsequent relays before reaching a collector. In
one particular case, an administrator found that he had mistakenly
configured two relays to forward messages with certain Priority
values to each other. When either of these machines either received
or generated that type of message, it would forward it to the other
relay. That relay would, in turn, forward it back. This cycle did
cause degradation to the intervening network as well as to the
processing availability on the two devices. Network administrators
must take care to not cause such a death spiral.

6.10 Load Considerations

Network administrators must take the time to estimate the appropriate
size of the syslog receivers. An attacker may perform a Denial of
Service attack by filling the disk of the collector with false
messages. Placing the records in a circular file may alleviate this
but that has the consequence of not ensuring that an administrator
will be able to review the records in the future. Along this line, a
receiver or collector must have a network interface capable of
receiving all messages sent to it.

Administrators and network planners must also critically review the
network paths between the devices, the relays, and the collectors.
Generated syslog messages should not overwhelm any of the network
links.

7. IANA Considerations

The syslog protocol has been assigned UDP port 514. This port
assignment will be maintained by IANA exclusively for this protocol.

The syslog protocol provides for the definition of named attributes
to indicate the Severity of each message and the Facility that
generated the message as described in Section 4. The name space
identifiers for these attributes are defined as numbers. The
protocol does not define the specific assignment of the name space
for these numbers; the application developer or system vendor is
allowed to define the attribute, its semantics, and the associated
numbers. This name space will not be controlled to prevent
collisions as systems are expected to use the same attributes,
semantics and associated numbers to describe events that are deemed
similar even between heterogeneous devices.

8. Conclusion and Other Efforts

The syslog protocol may be effectively used to transport event
notification messages across a network. In all cases, it is
important that the syslog message receiver embody the principle of
"be liberal in what you accept". It is highly recommended that the
network operators who choose to use this understand the
characteristics of the protocol and its security implications.

There have been attempts in the past to standardize the format of the
syslog message. The most notable attempt culminated in a BOF at the
Fortieth Internet Engineering Task Force meeting in 1997. This was
the Universal Logging Protocol (ulp) BOF and the minutes of their
meeting are on-line at the IETF Proceedings web site [14].

Many good thoughts came from that effort and interested implementers
may want to find some of the notes or papers produced from that
effort.

At the time of this writing, efforts are underway to allow the usage
of international character sets in applications that have been
traditionally thought of as being text-only. The HOSTNAME and
TIMESTAMP fields described above are representative of this. Also,
the entire CONTENT field has traditionally been printing characters
and spaces in the code set known as US-ASCII. It is hoped that the
proponents of these internationalization efforts will find a suitable
way to allow the use of international character sets within syslog
messages without being disruptive. It should also be hoped that
implementers will allow for the future acceptance of additional code
sets and that they may make appropriate plans. Again, it must be
cautioned that the simplicity of the existing system has been a
tremendous value to its acceptance. Anything that lessens that
simplicity may diminish that value.

Acknowledgements

The following people provided content feedback during the writing of
this document:

Jon Knight <>
Magosanyi Arpad <>
Balazs Scheidler <>
Jon Callas <>
Eliot Lear <>
Petter Reinholdtsen <>
Darren Reed <>
Alfonso De Gregorio <>
Eric Allman <>
Andrew Ross <>
George Maslyar <>
Albert Mietus <>
Russ Allbery <>
Titus D. Winters <>
Edwin P. Boon <>
Jeroen M. Mostert <>

Eric Allman is the original inventor and author of the syslog daemon
and protocol. The author of this memo and the community at large
would like to express their appreciation for this work and for the
usefulness that it has provided over the years.

A large amount of additional information about this de-facto standard
operating system feature may usually be found in the syslog.conf file
as well as in the man pages for syslog.conf, syslog, syslogd, and
logger, of many Unix and Unix-like devices.

References

1 Postel, J., "User Datagram Protocol", STD 6, , August 1980.

2 Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", , November 1997.

3 USA Standard Code for Information Interchange, USASI X3.4-1968

4 Mockapetris, P., "Domain Names - Concepts and Facilities", STD 13,
, November 1987.

5 Mockapetris, P., "Domain names - Implementation and
Specification", STD 13, , November 1987.

6 Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture",
, July 1998.

7 Data elements and interchange formats - Information exchange -
Representation of dates and times, International Organization for
Standardization, Reference number ISO 8601 : 1988 (E), 1988

8 Stowe, M., et al, "Chemical Mimicry: Bolas Spiders Emit Components
of Moth Prey Species Sex Pheromones", Science, 1987

9 Postel, J., "Internet Protocol", STD 5, , September 1981.

10 Baker, F., "Requirements for IP Version 4 Routers", , June
1995.

11 Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6)
Specification", , December 1998.

12 Nichols, K., Blake, S., Baker, F. and D. Black, "Definition of the
Differentiated Services Field (DS Field) in the IPv4 and IPv6
Headers", , December 1998.

13 Cisco Systems Product Security Incident Response Team (PSIRT),
"Field Notice: Cisco IOS(r) Syslog Crash", January 11, 1999


14 Walker, D., IETF Secretariat, "Proceedings of the Fortieth
Internet Engineering Task Force, Washington, DC, USA, December 8-
12, 1997


Author's Address

Chris Lonvick
Cisco Systems
12515 Research Blvd.
Austin, TX, USA

Phone: +1.512.378.1182
EMail:

Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the
Internet Society.

 

Previous:

 

Next:


==========================================

Syslog notes

Notes

A critical part of the system managers job is monitoring the system. Most Unix systems use SYSLOG to do this. Syslog allows you to encode messages by level and by facility. Levels can be considered various levels of a problem (e.g. warning, error, emergency) whereas facilities are considered to be service areas (e.g. printing, email, network ). Syslog also allows you to forward log entries to another machine for processing, in this way syslog functions as a distributed error manager.

 LOG_EMERG     A panic condition.  This is normally broadcast to all
users.

LOG_ALERT A condition that should be corrected immediately,
such as a corrupted system database.

LOG_CRIT Critical conditions, e.g., hard device errors.

LOG_ERR Errors.

LOG_WARNING Warning messages.

LOG_NOTICE Conditions that are not error conditions, but should
possibly be handled specially.

LOG_INFO Informational messages.

LOG_DEBUG Messages that contain information normally of
use only when debugging a program.



     /  A filename (beginning with a leading slash).  The file will be opened
in append mode.

@ A hostname preceded by an at sign (``@''). Selected messages are
forwarded to the syslogd on the named host.

Letter A comma-separated list of users. Selected messages are written to
those users if they are logged in.

* An asterisk. Selected messages are written to all logged-in users.

| A |, followed immediately by a program name, which is taken to be all
chars after the | up to the next tab; at least one action must follow
the tab. The filter is expected to read stdin, and write the filtered
response to stdout. If the filter exits with a non-zero value, the
original message is logged, as well as a message that the filter
failed. The filter has a limited time (currently 8 seconds) to
process the message. If the filter exits with status 0 without
writing any data, no message is logged. The data to be read by the
filter is not terminated with a newline, nor should the data written
have a newline appended.




Feb 27 01:01:04 umbc9 syslogd: restart
Feb 27 01:01:14 umbc9 telnetd[1803]: connect from annex3.umbc.edu
Feb 27 01:02:15 umbc9 rlogind[1845]: connect from annex1.umbc.edu
Feb 27 01:02:44 umbc9 lpd[1879]: /usr/adm/acsps-errs: No such file or
directory
Feb 27 01:07:08 umbc9 telnetd[1914]: connect from annex1.umbc.edu
Feb 27 01:08:06 umbc9 rlogind[1946]: connect from annex1.umbc.edu
Feb 27 01:10:28 umbc9 rshd[1985]: connect from xxxx@deputy.cs.umbc.edu
Feb 27 01:10:30 umbc9 rlogind[1993]: connect from xxxx@deputy.cs.umbc.edu
Feb 27 01:13:01 umbc9 sendmail[2042]: BAA02041: to=xzy@picard.cs.wisc.edu,
delay=00:00:02, mailer=nullclient, relay=mailhub1.gl.umbc.edu. (130.85.3.11),
stat=Sent (BAA04370 Message accepted for delivery)
Feb 27 02:10:33 umbc9 in.fingerd[3180]: connect from xxx1@umbc9.umbc.edu
Feb 27 02:10:58 umbc9 in.fingerd[3185]: connect from xxx1@umbc9.umbc.edu
Feb 27 02:12:30 umbc9 in.fingerd[3202]: connect from xxx1@umbc9.umbc.edu
Feb 27 02:27:28 umbc9 telnetd[3818]: connect from xxxx@e2-umbc8.umbc.edu
Feb 27 02:39:31 umbc9 in.fingerd[4023]: connect from mcl.mcl.ucsb.edu
Feb 27 05:00:49 umbc9 fsr[4263]: %frag after %free after npass fs
Feb 27 05:00:49 umbc9 fsr[4263]: 1.16 1.02 0.16 0.05 7
/dev/root
Feb 27 05:00:49 umbc9 fsr[4263]: NaN NaN 0.00 0.00 7
/dev/dsk/ dks1d1s6
Feb 27 05:00:49 umbc9 fsr[4263]: 0.72 0.24 0.01 0.01 7
/dev/dsk/ dks1d1s1
Feb 27 05:00:49 umbc9 fsr[4263]: 1.78 1.77 0.03 0.02 7
/dev/usr
Feb 27 05:00:49 umbc9 fsr[4263]: 1.48 1.48 0.02 0.02 8
/dev/dsk/ dks1d2s7
Feb 27 15:18:14 umbc9 ypxfr[10239]: Can't get master of mail.aliases. Reason:
no such map in server's domain.

Unix has a large number of files that hold logging information. Most of these files are stored in /var/adm. Table 12.1 on Pg. 204 lists a number of these log files and gives a brief description of what they log. I will summarize a few of the important ones.
/var/adm/messages
The messages file holds information that prints to the console. These might include root logins and su attempts. This file has generally been superceded by the SYSLOG facility and may not be found.
/var/adm/lastlog
This file holds the most recent login time for each user in the system. On some systems this is a directory with each user stored as a single record. The directory hold a record for each person that has ever logged in. It can be used to track login records.
The utmp and wtmp files.
The utmp file is where information such as the terminal line, login time, and command executing are stored for access by the who command. The wtmp keeps track of logins and logouts since reboot. The command last reads that file and processes the information.
/var/adm/acct
This is the system accounting file. If enabled, the accounting file records a record for every process listing the following information:
  • username who ran the command
  • name of the command
  • CPU time used
  • completion timestamp of the process
  • Flag indicating completion status
      Accounting information can be very useful in monitoring who is doing what on your system. In addition, by summarizing accounting to develop cummulative statistics you can often build a case for upgrading the system.
      /var/adm/sulog
      The sulog file holds records for everyone that has su'ed on the system. here is a sample.
      SU 03/07 17:00 - ttyq18 nicholas-shollo1
      SU 03/07 17:22 + ttyq35 jack-root

      /var/adm/lpd-errs or /var/spool/lpd
      Many sites direct the SYSLOG output for the lpd system to this file. This file is then monitored for problems.
      (Wed Nov 16 18:03:44 1994) /usr/lib/lpd: cp1ln03: 
      cannot open /dev/tty53 (Socket is already connected)
      (Mon Jan 9 15:00:47 1995) /usr/lib/lpd: cp1ln03:
      cannot open /dev/tty53 (Socket is already connected)

      Mail logging
      Sendmail can be logged through syslog. We'll discuss the logging
      output when we go over sendmail. Below is a sample message.
      Mar 7 04:05:12 ds1.gl.umbc.edu sendmail[20178]: EAA20177:
      to=, ctladdr=
      (29074/32), delay=00:00:57, mailer=smtp,
      relay=merle.acns.nwu.edu. [0], stat=Deferred: Name server:
      merle.acns.nwu.edu .: host name lookup failure

Logging is a critical responsibility of the system administrator. However, in large modern system the amount of information generated can overwhelm most system administrators. Most system administrators develop scritps or tools to examine the log files and extract the important information. This is necessary; however a comprehensive method for monitoring distributed Unix systems is long overdue and a worthy research goal
==========================================
Network Working Group                                             D. New
Request for Comments: 3195 M. Rose
Category: Standards Track Dover Beach Consulting, Inc.
November 2001


Reliable Delivery for syslog

Status of this Memo

This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2001). All Rights Reserved.

Abstract

The BSD Syslog Protocol describes a number of service options related
to propagating event messages. This memo describes two mappings of
the syslog protocol to TCP connections, both useful for reliable
delivery of event messages. The first provides a trivial mapping
maximizing backward compatibility. The second provides a more
complete mapping. Both provide a degree of robustness and security
in message delivery that is unavailable to the usual UDP-based syslog
protocol, by providing encryption and authentication over a
connection-oriented protocol.




















New & Rose Standards Track [Page 1]

RFC 3195 Reliable Delivery for syslog November 2001


Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. The Model . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. The RAW Profile . . . . . . . . . . . . . . . . . . . . . . 7
3.1 RAW Profile Overview . . . . . . . . . . . . . . . . . . . . 7
3.2 RAW Profile Identification and Initialization . . . . . . . 9
3.3 RAW Profile Message Syntax . . . . . . . . . . . . . . . . . 10
3.4 RAW Profile Message Semantics . . . . . . . . . . . . . . . 10
4. The COOKED Profile . . . . . . . . . . . . . . . . . . . . . 11
4.1 COOKED Profile Overview . . . . . . . . . . . . . . . . . . 11
4.2 COOKED Profile Identification and Initialization . . . . . . 11
4.3 COOKED Profile Message Syntax . . . . . . . . . . . . . . . 11
4.4 COOKED Profile Message Semantics . . . . . . . . . . . . . . 12
4.4.1 The IAM Element . . . . . . . . . . . . . . . . . . . . . . 12
4.4.2 The ENTRY Element . . . . . . . . . . . . . . . . . . . . . 14
4.4.3 The PATH Element . . . . . . . . . . . . . . . . . . . . . . 19
5. Additional Provisioning . . . . . . . . . . . . . . . . . . 25
5.1 Message Authenticity . . . . . . . . . . . . . . . . . . . . 25
5.2 Message Replay . . . . . . . . . . . . . . . . . . . . . . . 25
5.3 Message Integrity . . . . . . . . . . . . . . . . . . . . . 25
5.4 Message Observation . . . . . . . . . . . . . . . . . . . . 26
5.5 Summary of Recommended Practices . . . . . . . . . . . . . . 26
6. Initial Registrations . . . . . . . . . . . . . . . . . . . 27
6.1 Registration: The RAW Profile . . . . . . . . . . . . . . . 27
6.2 Registration: The COOKED Profile . . . . . . . . . . . . . . 27
7. The syslog DTD . . . . . . . . . . . . . . . . . . . . . . . 28
8. Reply Codes . . . . . . . . . . . . . . . . . . . . . . . . 32
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . 33
9.1 Registration: BEEP Profiles . . . . . . . . . . . . . . . . 33
9.2 Registration: The System (Well-Known) TCP port number for
syslog-conn . . . . . . . . . . . . . . . . . . . . . . . 33
10. Security Considerations . . . . . . . . . . . . . . . . . . 34
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 34
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 34
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 35
Full Copyright Statement . . . . . . . . . . . . . . . . . . . . . 36














New & Rose Standards Track [Page 2]

RFC 3195 Reliable Delivery for syslog November 2001


1. Introduction

The syslog protocol [1] presents a spectrum of service options for
provisioning an event-based logging service over a network. Each
option has associated benefits and costs. Accordingly, the choice as
to what combination of options is provisioned is both an engineering
and administrative decision. This memo describes how to realize the
syslog protocol when reliable delivery is selected as a required
service. It is beyond the scope of this memo to argue for, or
against, the use of reliable delivery for the syslog protocol.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [2].





































New & Rose Standards Track [Page 3]

RFC 3195 Reliable Delivery for syslog November 2001


2. The Model

The syslog service supports three roles of operation: device, relay,
and collector.

Devices and collectors act as sources and sinks, respectively, of
syslog entries. In the simplest case, only a device and collector
are present. E.g.,

+--------+ +-----------+
| Device | -----> | Collector |
+--------+ +-----------+

The relationship between devices and collectors is potentially many-
to-many. I.e., a device might communicate with many collectors;
similarly, a collector might communicate with many devices.

A relay operates in both modes, accepting syslog entries from devices
and other relays and forwarding those entries to collectors and other
relays.

For example,

+--------+ +-------+ +-------+ +-----------+
| Device | ---> | Relay | -...-> | Relay | ---> | Collector |
+--------+ +-------+ +-------+ +-----------+

As shown, more than one relay may be present between any particular
device and collector.

A relay may be necessary for administrative reasons. For example, a
relay might run as an application proxy on a firewall. Also, there
might be one relay per company department, which authenticates all
the devices in the department, and which in turn authenticates itself
to a company-wide collector.

A relay can also serve to filter messages. For example, one relay
may collect the syslog information from an entire web server farm,
summarizing hit counts for report generation, forwarding "page not
found" messages (indicating a possible broken link) to a collector
that presents it to the webmaster, and sending more urgent messages
(such as hardware failure reports) to a collector that gateways them
to a pager. A relay may also be used to convert formats from a
device's output to a collector's input.

It should be noted that a role of device, relay, or collector is
relevant only to a particular BEEP channel (q.v., below). A single
server can serve as a device, a relay, and a collector, all at once,



New & Rose Standards Track [Page 4]

RFC 3195 Reliable Delivery for syslog November 2001


if so configured. It can even serve as a relay and a collector to
the same device at the same time using different BEEP channels over
the same connection-oriented session; this might be useful to collect
status yet relay urgent error messages.

To provide reliable delivery when realizing the syslog protocol, this
memo defines two BEEP profiles. BEEP [3] is a generic application
protocol framework for connection-oriented, asynchronous
interactions. Within BEEP, features such as authentication, privacy,
and reliability through retransmission are provided. There are two
profiles defined in this memo:

o The RAW profile is designed to provide a high-performance, low-
impact footprint, using essentially the same format as the
existing UDP-based syslog service.

o The COOKED profile is designed to provide a structured entry
format, in which individual entries are acknowledged (either
positively or negatively).

Note that both profiles run over BEEP. BEEP defines "transport
mappings," specifying how BEEP messages are carried over the
underlying transport technologies. At the time of this writing, only
one such transport is defined, in [4], which specifies BEEP over TCP.
All transport mappings are required to support enough reliability and
sequencing to allow all BEEP messages on a given channel to be
delivered reliably and in order. Hence, both the RAW and COOKED
profile provide reliable delivery of their messages.

The choice of profile is independent of the operational roles
discussed above.

For example, in

+--------+ +-------+ +-----------+
| Device | -----> | Relay | -----> | Collector |
+--------+ +-------+ +-----------+

the device-to-relay link could be configured to use the RAW profile,
while the relay-to-collector link could be configured to use the
COOKED profile. (For example, the relay may be parsing the RAW
syslog messages from the device, knowing the details of their
formats, before passing them to a more generic collector.) Indeed,
the same device may use different profiles, depending on the
collector to which it is sending entries.






New & Rose Standards Track [Page 5]

RFC 3195 Reliable Delivery for syslog November 2001


Devices and relays MAY discover relays and collectors via the DNS SRV
algorithm [5]. If so configured, the service used is "syslog" and
the protocol used is "tcp". This allows for central administration
of addressing, fallback for failed relays and collectors, and static
load balancing. Security policies and hardware configurations may be
such that device configuration is more secure than the DNS server.
Hardware devices may be of such limited resources that DNS SRV access
is inappropriate. Firewalls and other restrictive routing mechanisms
may need to be dealt with before a reliable syslog connection can be
established. In these cases, DNS might not be the most appropriate
configuration mechanism.








































New & Rose Standards Track [Page 6]

RFC 3195 Reliable Delivery for syslog November 2001


3. The RAW Profile

3.1 RAW Profile Overview

The RAW profile is designed for minimal implementation effort, high
efficiency, and backwards compatibility. It is appropriate
especially in cases where legacy syslog processing will be applied.

It should be noted that even though the RAW profile uses the same
format for message payloads as the UDP version of syslog uses,
delivery is reliable. The RAW syslog profile is a profile of BEEP
[3], and BEEP guarantees ordered reliable delivery of messages within
each individual channel.

When the profile is started, no piggyback data is supplied. All BEEP
messages in the RAW profile are specified as having a MIME Content-
Type [6] of application/octet-stream. Once the channel is open, the
listener (not the initiator) sends a MSG message indicating it is
ready to act as a syslog sink. (Refer to [3]'s Section 2.1 for a
discussion of roles that a BEEP peer may perform, including
definitions of the terms "listener", "initiator", "client", and
"server".)

The initiator uses ANS replies to supply one or more syslog entries
in the current UDP format, as specified in [1]'s Section 3. When the
initiator has no more entries to send, it finishes with a NUL reply
and closes the channel.

An example might appear as follows:

L:
I:
L: RPY 0 0 . 0 201
L: Content-type: application/beep+xml
L:
L:
L: L: uri='' />
L:
L:

L: END
I: RPY 0 0 . 0 52
I: Content-type: application/beep+xml
I:
I:
I: END
I: MSG 0 1 . 52 133
I: Content-type: application/beep+xml



New & Rose Standards Track [Page 7]

RFC 3195 Reliable Delivery for syslog November 2001


I:
I:
I:
I:

I: END
L: RPY 0 1 . 201 100
L: Content-type: application/beep+xml
L:
L:
L: END
L: MSG 1 0 . 0 50
L:
L: Central Services. This has not been a recording.
L: END
I: ANS 1 0 . 0 61 0
I:
I: <29>Oct 27 13:21:08 ductwork imxpd[141]: Heating emergency.END
I: ANS 1 0 . 61 58 1
I:
I: <29>Oct 27 13:22:15 ductwork imxpd[141]: Contact Tuttle.END
I: NUL 1 0 . 119 0
I: END
L: MSG 0 3 . 301 70
L: Content-Type: application/beep+xml
L:
L:
L: END
I: RPY 0 3 . 185 46
I: Content-Type: application/beep+xml
I:
I:
I: END
I: MSG 0 4 . 231 72
I: Content-Type: application/beep+xml
I:
I:
I: END
L: RPY 0 4 . 371 46
L: Content-type: application/beep+xml
L:
L:
L: END
L:
I:
L:






New & Rose Standards Track [Page 8]

RFC 3195 Reliable Delivery for syslog November 2001


Here we see a BEEP session established, followed by the use of the
RAW profile. The initiator is a device, while the listener is a
collector. The initiator opens the channel, but the listener sends
the first MSG. This allows the initiator to send any number of ANS
replies carrying syslog event messages. The initiator sends a NUL
reply to indicate it is finished. Upon receiving the NUL, the
listener closes the RAW channel. The initiator has the choice of
closing the entire BEEP session or opening a new syslog channel (RAW
or COOKED) for more transfers. In this example, the initiator
chooses to close the entire BEEP session.

The overhead for one ANS frame is about thirty octets, once the
initial handshakes have been exchanged. If this overhead is too
high, then messages are likely being generated at a high rate. In
this case, multiple syslog messages can be aggregated into a single
ANS frame, each separated by a CRLF sequence from the preceding. The
final message still MUST NOT end with a CRLF.

For example,

L: MSG 1 0 . 0 50
L:
L: Central Services. This has not been a recording.
L: END
I: ANS 1 0 . 0 119 0
I:
I: <29>Oct 27 13:21:08 ductwork imxpd[141]: Heating emergency.
I: <29>Oct 27 13:21:09 ductwork imxpd[141]: Contact Tuttle.END
I: NUL 1 0 . 119 0
I: END

3.2 RAW Profile Identification and Initialization

The RAW syslog profile is identified as



in the BEEP "profile" element during channel creation.

No data is piggybacked during channel creation.











New & Rose Standards Track [Page 9]

RFC 3195 Reliable Delivery for syslog November 2001


3.3 RAW Profile Message Syntax

All BEEP messages in this profile have a MIME content-type of
application/octet-stream. The listener's first BEEP message is
ignored and indeed may be empty except for headers; hence, any syntax
is acceptable.

The ANS replies the initiator sends in response MUST be formatted
according to Section 4 of [1]. In particular, If the receiver is
acting as a relay, then it MUST follow the rules as laid out in
Section 4.2.2 of [1].

If multiple syslog messages are included in a single ANS reply, each
is separated from the preceding with a CRLF. There is no ending
delimiter, but each syslog event message body length MUST be 1024
bytes or less, excluding BEEP framing overhead. Note that there MUST
NOT be a CRLF between the text of the final syslog event message and
the "END" marking the trailer of the BEEP frame.

3.4 RAW Profile Message Semantics

The listener's opening BEEP MSG message has no semantics. (It is a
good place to put in an identifying greeting.) The initiator's ANS
replies MUST specify a facility, severity, and textual message, as
described in [1].


























New & Rose Standards Track [Page 10]

RFC 3195 Reliable Delivery for syslog November 2001


4. The COOKED Profile

4.1 COOKED Profile Overview

The COOKED profile is designed for new implementations of syslog
protocol handlers. It provides a much finer grain of information
tagging, allowing a better degree of automation in processing.
Naturally, it includes more overhead as well in support of this.

The COOKED profile supports three elements of interest:

o The "iam" element identifies the sender to the receiver, allowing
each peer to name itself for the other, and specifying the roles
(device, relay, or collector) each is taking on.

o The "entry" element provides a parsed version of the syslog entry,
with the various fields of interest broken out.

o The "path" element identifies a list of relays through which a
tagged collection of "entry" elements has passed, along with a set
of flags indicating what assurances of security have been in
effect throughout its delivery.

4.2 COOKED Profile Identification and Initialization

The COOKED syslog profile is identified as



in the BEEP "profile" element during channel creation.

During channel creation, the corresponding "profile" element in the
BEEP "start" element may contain an "iam" element. If channel
creation is successful, then before sending the corresponding reply,
the BEEP peer processes the "iam" element and includes the resulting
response in the reply. This response will be an "ok" element or an
"error" element. The choice of which element is returned is
dependent on local provisioning of the recipient. Including an "iam"
in the initial "start" element has exactly the same semantics as
passing it as the first MSG message on the channel.

4.3 COOKED Profile Message Syntax

All BEEP messages in this profile have a MIME Content-Type [6] of
application/beep+xml. The syntax of the individual elements is
specified in Section 7.





New & Rose Standards Track [Page 11]

RFC 3195 Reliable Delivery for syslog November 2001


4.4 COOKED Profile Message Semantics

Initiators issue two elements: "iam" and "entry", each using a "MSG"
message. The listener issues "ok" in "RPY" messages and "error" in
"ERR" messages. (See [3]'s Section 2.3.1 for the definitions of the
"error" and "ok" elements.)

4.4.1 The IAM Element

The "iam" element serves to identify a device, relay, or collector at
one end of the BEEP channel to the device, relay, or collector at the
other end of the channel. The "iam" element includes the type of
peer (device, relay, or collector), the fully qualified domain name
of the peer, and an IP address of the peer. (The IP address chosen
SHOULD be the IP address associated with the underlying transport
protocol carrying the channel.) The character data of the element is
free-form human-readable text. It may be used to further identify
the peer, such as by describing the physical location of the machine.

An "iam" element may be sent by the initiator of the channel at any
time. The listener responds to an "iam" element with an "ok"
(indicating acceptance), or an "error" (indicating rejection). The
identity and role in effect is specified by the most recent "iam"
answered with an "ok".

An "iam" could be rejected (with an "error" element) by the listener
if the privacy or authentication that has been negotiated is
inadequate or if the authenticated user does not have authorization
to serve in the specified role. It is expected that most
installations will require an "iam" from the peer before accepting
any "entry" messages.




















New & Rose Standards Track [Page 12]

RFC 3195 Reliable Delivery for syslog November 2001


For example, a successful creation might look like this:

I: MSG 0 10 . 1832 259
I: Content-type: application/beep+xml
I:
I:
I: I: uri=''>
I: I: type='device'/> ]]>
I:

I:
L: END
L: RPY 0 10 . 704 138
L: Content-type: application/beep+xml
L:
L:
L: ]]>
L:

L: END

A creation with an embedded "iam" that fails might look like this:

C: MSG 0 12 . 1832 259
C: Content-type: application/beep+xml
C:
C:
C: C: uri=''>
C: C: type='relay'/> ]]>
C:
C:

C: END
S: RPY 0 12 . 704 241
S: Content-type: application/beep+xml
S:
S:
S: S: User 'buttle.example.com' not allowed
S: to "iam" for 'tuttle.example.com'
]]>
S:

S: END

In this case, the error code indicates that the user
"buttle.example.com" has logged in via some SASL profile, but the
syslog COOKED profile implementation is claiming to be
"tuttle.example.com", a mismatch that the server is disallowing.



New & Rose Standards Track [Page 13]

RFC 3195 Reliable Delivery for syslog November 2001


4.4.2 The ENTRY Element

The "entry" element carries the details of a single syslog entry. The
attributes of an "entry" element include "facility", "severity",
"timestamp", "hostname", and "tag". "Facility" and "severity" have
the semantics defined in [1]'s 4.1. The other attributes have the
semantics as in Sections 4.2.1 and 4.2.3 of [1]. An "entry" element
can also contain a "pathID" attribute, described below.

If the client is a relay, the "entry" SHOULD also contain the
attributes "deviceFQDN" and "deviceIP", specifying the FQDN and IP
address of the device that originally created the entry. These
attributes may be added by either the relay or the originating
device. If possible, the device SHOULD add these entries, referring
to the interface most closely associated with the syslog entry.
Before a relay forwards an entry from a device that does not carry
these attributes, it SHOULD add them based on the "iam" element it
has received from the device, or based on the underlying transport
connection address. A relay MUST NOT add these fields if they are
missing and an "iam" element on the channel has indicated that
messages are coming from another relay.

The "pathID" attribute indicates the path over which this entry has
travelled, from device through relays to the final collector.
Syntactically, its value is a string of digits that must match the
"pathID" attribute of a "path" element sent earlier over the current
channel. Semantically, it indicates that the list of relays and
flags indicated in that earlier "path" element apply to this "entry"
element.

The character data for the element is the unstructured syslog event
message being logged. If the original device delivers the message
for the first time via the COOKED profile, it may have any structure
inside the CDATA. However, for maximum compatibility, the device
SHOULD format the CDATA of the message in accordance with Sections
4.2.1 through 4.2.3 of [1].















New & Rose Standards Track [Page 14]

RFC 3195 Reliable Delivery for syslog November 2001


In the message is being relayed, "tag" SHOULD be those of the
original device generating the entry (unless the device cannot supply
a tag). The "timestamp" SHOULD be that of the original entry
generation time, rather than the time the entry was passed outward
from the relay. The "hostname" SHOULD be the host name or IP address
by which the device knows itself; this MUST follow the rules
established in Sections 4.2.1 through 4.2.3 of [1]. The original
contents of the syslog message MUST be preserved in the CDATA of the
"entry" element; this includes preservation of exact content during
translation from the UDP or RAW formats. In particular, the
timestamps MUST NOT be rewritten in the CDATA of the "entry" element,
the tag MUST NOT be removed from the CDATA even if presented in the
"entry" attributes as well, and so on.

To be consistent with the spirit of [1], a relay receiving a message
that does not contain a valid priority, timestamp or hostname will
follow the same general rules as described in section 4.2.2 of [1]
while including the exact contents of the received syslog packet as
the CDATA. The values of the facility and severity will be construed
to be 8 and 6 respectively and will be placed into the appropriate
attributes of the "entry" element. The hostname will be the name of
the device as it is known to the relay and will also be inserted into
the "entry" element's attributes. The timestamp would be set to the
received time, inserted only into the attributes of the "entry"
element. As an example, consider this message received on UDP port
514 and interpreted as a traditional syslog message, assuming the
underlying IP source address is that of the "pipeworks" machine:

<.....eeeek!

To be relayed, it must be modified as follows:

C: MSG 1 0 . 2079 156
C: Content-Type: application/beep+xml
C:
C: C: hostname='pipeworks'
C: timestamp='Oct 31 23:59:59'
C: ><.....eeeek!

C: END
S: RPY 1 0 . 933 45
S: Content-Type: application/beep+xml
S:
S:
S: END






New & Rose Standards Track [Page 15]

RFC 3195 Reliable Delivery for syslog November 2001


As another example, consider a message being received that does not
properly adhere to the conventions described in Section 4.2.2 of [1].
In particular, the timestamp has a year, making it a nonstandard
format:

<166> 1990 Oct 22 01:00:00 bomb tick[0]: BOOM!

This would be relayed as follows:

C: MSG 1 0 . 2235 242
C: Content-Type: application/beep+xml
C:
C: C: hostname='bomb'
C: deviceFQDN='bomb.terrorist.net' deviceIP='10.0.0.83'
C: timestamp='Oct 22 01:00:04'
C: ><166> 1990 Oct 22 01:00:00 bomb tick[0]: BOOM!

C: END
S: RPY 1 0 . 978 45
S: Content-Type: application/beep+xml
S:
S:
S: END

Note that the tag value was not readily apparent from the received
message (due to the failed parsing of the timestamp), so it was not
included in the "entry" element.

It is explicitly permitted for a relay to parse raw messages in a
more sophisticated way, but all implementations MUST be able to parse
messages presented in the format described in [1]. A more
sophisticated relay could have recognized the year and completely
parsed out the correct time, tag, and hostname, but such additional
parsing capability is OPTIONAL.

Consider the following example, in contrast:

<166> Oct 22 01:00:00 bomb tick[0]: BOOM!













New & Rose Standards Track [Page 16]

RFC 3195 Reliable Delivery for syslog November 2001


This conformant message would be relayed as follows:

C: MSG 1 0 . 2477 248
C: Content-Type: application/beep+xml
C:
C: C: hostname='bomb'
C: deviceFQDN='bomb.terrorist.net' deviceIP='10.0.0.83'
C: timestamp='Oct 22 01:00:00' tag='tick'
C: ><166> Oct 22 01:00:00 bomb tick[0]: BOOM!

C: END
S: RPY 1 0 . 1023 45
S: Content-Type: application/beep+xml
S:
S:
S: END

In this case, the tag is detected and the timestamp represents the
message generation time rather than the message reception time.

Finally, the "entry" element may also contain an "xml:lang"
attribute, indicating the language in which the CDATA content of the
tag is presented, as described in [7].

The "entry" element is answered with either an empty "ok" element if
everything was successful, or a standard "error" element if there was
a problem. An "entry" element can be rejected if no "iam" element
has been accepted by the listener. It can also be rejected if the
user authenticated on the BEEP session (if any) does not have the
authority to generate (as a device) or relay that entry. An error is
also possible if the "pathID" attribute refers to an unknown (or
rejected) "path" element.



















New & Rose Standards Track [Page 17]

RFC 3195 Reliable Delivery for syslog November 2001


A successful exchange of an "entry" element may look like this:

C: MSG 1 0 . 2725 173
C: Content-Type: application/beep+xml
C:
C: C: timestamp='Jan 26 15:16:17'
C: hostname='pipework' tag='imxp'>
C: No 27B/6 available

C: END
S: RPY 1 0 . 1068 45
S: Content-Type: application/beep+xml
S:
S:
S: END

Here, the device IP address and FQDN are taken from the "iam"
element, if any, or from the underlying connection information.

An example where an "entry" element is rejected with an "error"
element:

C: MSG 1 2 . 2898 223
C: Content-Type: application/beep+xml
C:
C: C: deviceFQDN='jack.example.net' deviceIP='10.0.0.83'
C: tag='imxpd'>
C: Replacement device found in nostril.
C:

C: END
S: ERR 1 2 . 1113 111
S: Content-Type: application/beep+xml
S:
S: Not allowed to relay for
S: jack.example.net

S: END

Here, the client attempts to relay an entry on behalf of
jack.example.com, but the entry is refused by the collector for
administrative reasons. This may occur, for example, if
lowry.example.com is in a different department than jack.example.com.









New & Rose Standards Track [Page 18]

RFC 3195 Reliable Delivery for syslog November 2001


4.4.3 The PATH Element

The "path" element serves to describe a list of the relays through
which that element has passed, along with a set of flags that
indicate the properties that all links from the device to the relay
have shared in common. Each "path" element contains either another
"path" element or is empty. An empty "path" element identifies a
device, while a "path" element with a nested "path" element
identifies a relay. Each "path" element names a FQDN and IP address
of the interface that sent the element. Each "path" element also
names a FQDN and IP address for the interface that received the
element. Each "path" element also carries a "linkprops" attribute,
specifying the properties of the link it describes.

Each "path" element has a "pathID" attribute which must be unique for
all "path" elements sent on this channel since its inception.
Syntactically, the "pathID" attribute is a string of digits.
Semantically, it serves to identify one "path" element out of many,
and it serves to link a "path" element with one or more "entry"
elements. Any "pathID" attribute is unrelated to any "pathID"
attribute in nested "path" elements or on other channels.

Each "path" element has a "fromFQDN" attribute and an "fromIP"
attribute. The "fromFQDN" attribute SHOULD be the fully qualified
domain name of the interface over which the "path" element was sent.
(The "fromFQDN" can be omitted if that interface has no DNS entry.)
Similarly, the "fromIP" attribute MUST be the IP address of the
interface over which the "path" element was sent.

Each "path" element has a "toFQDN" attribute and an "toIP" attribute.
The "toFQDN" attribute SHOULD be the fully qualified domain name of
the interface over which the "path" element was received. (The
"toFQDN" can be omitted if that interface has no DNS entry.)
Similarly, the "toIP" attribute MUST be the IP address of the
interface over which the "path" element was received.

Finally, each "path" element carries a "linkprops" attribute. This
is syntactically a string of individual characters, each indicating
one property of the channel over which this "path" element is being
carried. Note that outer "path" elements may have stronger
guarantees than inner "path" elements; care should be taken in the
interpretation of flags. The semantics of each possible character in
this string are as follows:








New & Rose Standards Track [Page 19]

RFC 3195 Reliable Delivery for syslog November 2001


o: When present, "o" (lower-case letter "o") indicates that weak
privacy has been negotiated over this link, weakly protecting from
observation the content of entries associated with this "path"
element. (Weak privacy is encryption with less than 80 bits of
key.)

O: When present, "O" (upper-case letter "O") indicates that strong
privacy has been negotiated over this link, strongly protecting
from observation the content of entries associated with this
"path" element. (Strong privacy is encryption with 80 bits or
more of key, or a transfer mechanism that is otherwise impossible
to eavesdrop upon.)

U: When present, "U" indicates that a valid user has been
authenticated (via SASL or TLS) and an "iam" element has been
accepted.

A: When present, "A" indicates that this link has been protected by
an authentication layer, authenticating the source of every
"entry" associated with this path.

R: When present, "R" indicates that this link has been protected
against message replay.

I: When present, "I" indicates that this link has been protected
against modifications of messages in passing. ("I" stands for
message Integrity.)

L: When present, "L" indicates that this link has been protected
against loss of messages. That is, this is a reliable delivery
link.

D: When present, "D" indicates that the "from" side of this link is a
device. If this is not present on the innermost "path" element,
"entry" elements associated with this path have not been carried
by the COOKED profile for their entire lifetime.

Upon receiving a "path" element, the peer MUST perform the following
checks:

o The "fromFQDN" and "fromIP" must match the underlying transport
connection.

o The flags in the "linkprops" attribute must match the attributes
of the session.

o The "toFQDN" and "toIP" must match the underlying transport
connection.



New & Rose Standards Track [Page 20]

RFC 3195 Reliable Delivery for syslog November 2001


o The "pathID" attribute must be unique with respect to all other
"path" elements received on this channel.

If all these checks pass, the "path" element is accepted with an "ok"
element. Otherwise, an "error" element is generated with an
appropriate code. In addition, if any of the nested "path" elements
refer to the machine receiving the element, it may indicate a routing
loop in the configuration for the so-identified path, and appropriate
measures should be taken.

If the peer receiving an "entry" element is receiving it directly
from a device via either syslog-conn profile, and the device has not
generated a "path" element, the receiver may itself generate an
appropriate "path" element, either to be recorded in the logs (if
this peer is a collector) or passed to the next peer (if this peer is
a relay). If a peer receives a syslog message via UDP, it may
optionally generate an appropriate "peer" element based on any
cryptographic information provided in the message itself.

When a peer receives a "path" element, it remembers it for future
use. A collector will store it in the log for later reference. A
relay will remember it. When an "entry" arrives referencing the
received "path" element, and that entry needs to be forwarded to
another relay or collector, and no appropriate "path" element has
already been generated, an appropriate "path" element is generated
and sent over the outbound channel before the entry is forwarded. An
appropriate "path" element is created by taking the received "path"
element, wrapping it in a new "path" element with the appropriate
attributes, and assigning it a new "pathID" attribute. When future
"entry" elements arrive with the same incoming "pathID" attribute,
and they need to be forwarded to a channel over which an appropriate
"pathID" attribute has already been sent, only the "pathID" attribute
of the "entry" element needs to be rewritten to refer to the "path"
element on the outgoing channel.

It should be noted that the majority of the complexity in managing
"path" elements arises only in relays. In particular, devices never
need to generate "path" elements and collectors need only verify
them, log them, and possibly use them in displays and reports.
Collectors do not need to generate "path" elements or rewrite "entry"
elements. Hence, only in complex configurations (where they are most
useful) do complex "path" configurations occur.









New & Rose Standards Track [Page 21]

RFC 3195 Reliable Delivery for syslog November 2001


For example, here is a path element sent from
lowry.records.example.com to kurtzman.records.example.com. It
indicates that entries from lowry to kurtzman tagged with
pathID='173' originated from screen.lowry.records.example.com. It
indicates that screen.lowry.records.example.com is believed by
lowry.records.example.com to be the originating device, and that
entries over this path are delivered without loss and without
modification, although messages might be replayed or observed. The
link between lowry and kurtzman, however, avoids replay attacks, lost
messages, and modifications to messages. While
screen.lowry.records.example.com has not authenticated itself to
lowry.records.example.com, lowry claims to have authenticated itself
to kurtzman.

C: MSG 2 1 . 3121 426
C: Content-type: application/beep+xml
C:
C: C: fromIP='10.0.0.50'
C: toFQDN='kurtzman.records.example.com'
C: toIP='10.0.0.51'
C: linkprops='ULRI'
C: pathID='173'>
C: C: fromIP='10.0.0.47'
C: toFQDN='lowry.records.example.com'
C: toIP='10.0.0.50'
C: linkprops='DLI'
C: pathID='24'>
C:

C:

C: END
S: ERR 2 1 . 1224 114
S: Content-type: application/beep+xml
S:
S: linkprops includes 'U'
S: but no 'iam' received

S: END

However, kurtzman.records.example.com rejects the "path" element,
since the "linkprops" attribute claims that lowry has authenticated
itself, but kurtzman disagrees, not having received an "iam" element.









New & Rose Standards Track [Page 22]

RFC 3195 Reliable Delivery for syslog November 2001


In a second example, this "path" element informs
collector.example.com that the records department's firewall will be
forwarding "entry" elements with a "pathID" attribute whose value is
"17". These "entry" elements will be coming in on the "10.0.0.2"
interface of the firewall, to be forwarded out the "134.130.74.56"
interface of the firewall. The final hop has all possible
guarantees, although the entries transferred within the records
department (behind the firewall) may have been observed in passing.

C: MSG 2 2 . 3547 813
C: Content-type: application/beep+xml
C:
C: C: fromIP='134.130.74.56'
C: toFQDN='collector.example.com'
C: toIP='134.130.74.12'
C: linkprops='OUARIL'
C: pathID='17'>
C: C: fromIP='10.0.0.50'
C: toFQDN='fwall.records.example.com'
C: toIP='10.0.0.2'
C: linkprops='ULRI'
C: pathID='120'>
C: C: fromIP='10.0.0.50'
C: toFQDN='kurtzman.records.example.com'
C: toIP='10.0.0.51'
C: linkprops='ULRI'
C: pathID='173'>
C: C: fromIP='10.0.0.47'
C: toFQDN='lowry.records.example.com'
C: toIP='10.0.0.50'
C: linkprops='DLI'
C: pathID='24'>
C:

C: END
S: RPY 2 2 . 1338 45
S: Content-type: application/beep+xml
S:
S:
S: END








New & Rose Standards Track [Page 23]

RFC 3195 Reliable Delivery for syslog November 2001


As a final example, an "entry" element from Lowry's screen arrives at
the firewall. The "path" attribute is rewritten, and it is forwarded
on to the collector.

The entry arrives on the 10.0.0.2 interface:

C: MSG 2 3 . 4360 250
C: Content-Type: application/beep+xml
C:
C: C: timestamp='Oct 27 13:24:12'
C: deviceFQDN='screen.lowry.records.example.com'
C: deviceIP='10.0.0.47'
C: pathID='173'
C: tag='dvd'>
C: Job paused - Boss watching.
C:

C: END
S: RPY 2 3 . 1383 45
S: Content-Type: application/beep+xml
S:
S:
S: END

It is forwarded out the 134.130.74.56 interface:

C: MSG 7 9 . 9375 276
C: Content-Type: application/beep+xml
C:
C: C: timestamp='Oct 27 13:24:12'
C: deviceFQDN='screen.lowry.records.example.com'
C: deviceIP='10.0.0.47'
C: pathID='17'
C: tag='dvd'>
C: Job paused - Boss watching.
C:

C: END
S: RPY 7 9 . 338 45
S: Content-Type: application/beep+xml
S:
S:
S: END

A discussion of the wisdom of configuring Lowry's machine to forward
such messages via Kurtzman's machine is beyond the scope of this
document.




New & Rose Standards Track [Page 24]

RFC 3195 Reliable Delivery for syslog November 2001


5. Additional Provisioning

In more advanced configurations, syslog devices, relays, and
collectors can be configured to support various delivery priorities.
Multiple channels running the same profile can be opened between two
peers, with higher priority syslog messages routed to a channel that
is given more bandwidth. Such provisioning is a local matter.

syslog [1] discusses a number of reasons why privacy and
authentication of syslog entry messages may be important in a
networked computing environment. The nature of BEEP allows for
convenient layering of authentication and privacy over any BEEP
channel.

5.1 Message Authenticity

Section 6.2 of [1] discusses the dangers of unauthenticated syslog
entries. To prevent inauthentic syslog event messages from being
accepted, configure syslog peers to require the use of a strong
authentication technology for the BEEP session.

If provisioned for message authentication, implementations SHOULD use
SASL mechanism DIGEST-MD5 [8] to provision this service.

5.2 Message Replay

Section 6.3.4 of [1] discusses the dangers of syslog message replay.
To prevent syslog event messages from being replayed, configure
syslog peers to require the use of a strong authentication technology
for the BEEP session.

If provisioned to detect message replay, implementations SHOULD use
SASL mechanism DIGEST-MD5 [8] to provision this service.

5.3 Message Integrity

Section 6.5 of [1] discusses the dangers of syslog event messages
being maliciously altered by an attacker. To prevent messages from
being altered, configure syslog peers to require the use of a strong
authentication technology for the BEEP session.

If provisioned to protect message integrity, implementations SHOULD
use SASL mechanism DIGEST-MD5 [8] to provision this service.








New & Rose Standards Track [Page 25]

RFC 3195 Reliable Delivery for syslog November 2001


5.4 Message Observation

Section 6.6 of [1] discusses the dangers (and benefits) of syslog
messages being visible at intermediate points along the transmission
path between device and collector. To prevent messages from being
viewed by an attacker, configure syslog peers to require the use of a
transport security profile for the BEEP session. (However, other
traffic characteristics, e.g., volume and timing of transmissions,
remain observable.)

If provisioned to secure messages against unauthorized observation,
implementations SHOULD use the TLS profile [3] to provision this
service. The cipher algorithm used SHOULD be
TLS_RSA_WITH_3DES_EDE_CBC_SHA.

5.5 Summary of Recommended Practices

For the indicated protections, implementations SHOULD be configured
to use the indicated mechanisms:

Desired Protection SHOULD tune using
------------------ -----------------
Authentication
+ Replay
+ Integrity
+ Observation

BEEP peer identities used for authentication SHOULD correspond to the
FQDN of the initiating peer. That is, a relay running on
relay.example.com should use a "user ID" of "relay.example.com"
within the SASL authentication profiles, as well as in the FQDN of
the "iam" element.



















New & Rose Standards Track [Page 26]

RFC 3195 Reliable Delivery for syslog November 2001


6. Initial Registrations

6.1 Registration: The RAW Profile

Profile Identification:

Messages exchanged during Channel Creation: None

Messages starting one-to-one exchanges: Anything

Messages in positive replies: None

Messages in negative replies: None

Messages in one-to-many exchanges: Anything

Message Syntax: See Section 3.3

Message Semantics: See Section 3.4

Contact Information: See the "Authors' Addresses" section of this
memo

6.2 Registration: The COOKED Profile

Profile Identification:


Messages exchanged during Channel Creation: iam

Messages starting one-to-one exchanges: iam, entry, path

Messages in positive replies: ok

Messages in negative replies: error

Messages in one-to-many exchanges: None

Message Syntax: See Section 4.3

Message Semantics: See Section 4.4

Contact Information: See the "Authors' Addresses" section of this
memo







New & Rose Standards Track [Page 27]

RFC 3195 Reliable Delivery for syslog November 2001


7. The syslog DTD

The following is the DTD defining the valid elements for the syslog
over BEEP mapping.









"">
%BEEP;










New & Rose Standards Track [Page 28]

RFC 3195 Reliable Delivery for syslog November 2001










New & Rose Standards Track [Page 29]

RFC 3195 Reliable Delivery for syslog November 2001













fqdn %FQDN; #REQUIRED
ip %IP; #REQUIRED
type (device|relay|collector) #REQUIRED>




xml:lang %LANG; "i-default"
facility %FACILITY; #REQUIRED
severity %SEVERITY; #REQUIRED
timestamp %TIMESTAMP; #IMPLIED
tag %ATEXT; #IMPLIED
deviceFQDN %FQDN; #IMPLIED
deviceIP %IP; #IMPLIED
pathID %IDINT; #IMPLIED>















New & Rose Standards Track [Page 30]

RFC 3195 Reliable Delivery for syslog November 2001





pathID %IDINT; #REQUIRED
fromFQDN %FQDN; #IMPLIED
fromIP %IP; #REQUIRED
toFQDN %FQDN; #IMPLIED
toIP %IP; #REQUIRED
linkprops %ATEXT; #REQUIRED>






































New & Rose Standards Track [Page 31]

RFC 3195 Reliable Delivery for syslog November 2001


8. Reply Codes

The following error codes are used in the protocol:

code meaning
==== =======
200 success

421 service not available

451 requested action aborted
(e.g., local error in processing)

454 temporary authentication failure

500 general syntax error
(e.g., poorly-formed XML)

501 syntax error in parameters
(e.g., non-valid XML)

504 parameter not implemented

530 authentication required

534 authentication mechanism insufficient
(e.g., too weak, sequence exhausted, etc.)

535 authentication failure

537 action not authorized for user

538 authentication mechanism requires encryption

550 requested action not taken
(e.g., no requested profiles are acceptable)

553 parameter invalid

554 transaction failed
(e.g., policy violation)










New & Rose Standards Track [Page 32]

RFC 3195 Reliable Delivery for syslog November 2001


9. IANA Considerations

9.1 Registration: BEEP Profiles

The IANA registers the profiles specified in Section 6, and selects
IANA-specific URIs "" and
"".

9.2 Registration: The System (Well-Known) TCP port number for syslog-
conn

A single well-known port (601) is allocated to syslog-conn. In-band
negotiation determines whether COOKED or RAW syslog-conn is in use.

Protocol Number: TCP

Message Formats, Types, Opcodes, and Sequences: See Section 3.3 and
Section 4.4.

Functions: See Section 3.4 and Section 4.4.

Use of Broadcast/Multicast: none

Proposed Name: Reliable syslog service

Short name: syslog-conn

Contact Information: See the "Authors' Addresses" section of this
memo






















New & Rose Standards Track [Page 33]

RFC 3195 Reliable Delivery for syslog November 2001


10. Security Considerations

Consult Section 6 of [1] for a discussion of security issues for the
syslog service. In addition, since the RAW and COOKED profiles are
defined using the BEEP framework, consult [3]'s Section 8 for a
discussion of BEEP-specific security issues.

BEEP is used to provide communication security but not object
integrity. In other words, the messages "on the wire" can be
protected, but a compromised device may undetectably generate
incorrect messages, and relays and collectors can modify, insert, or
delete messages undetectably. Other techniques must be used to
assure that such compromises are detectable.

11. Acknowledgements

The authors gratefully acknowledge the contributions of Christopher
Calabrese, Keith McCloghrie, Balazs Scheidler, and David Waitzman.

12. References

[1] Lonvick, C., "The BSD Syslog Protocol", RFC 3164, August 2001.

[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.

[3] Rose, M., "The Blocks Extensible Exchange Protocol Core", RFC
3080, March 2001.

[4] Rose, M., "Mapping the BEEP Core onto TCP", RFC 3081, March
2001.

[5] Gulbrandsen, A., Vixie, P. and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.

[6] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046, November
1996.

[7] Alvestrand, H., "Tags for the Identification of Languages", BCP
47, RFC 3066, January 2001.

[8] Leach, P. and C. Newman, "Using Digest Authentication as a SASL
Mechanism", RFC 2831, May 2000.






New & Rose Standards Track [Page 34]

RFC 3195 Reliable Delivery for syslog November 2001


Authors' Addresses

Darren New
5390 Caminito Exquisito
San Diego, CA 92130
US

Phone: +1 858 350 9733
EMail: dnew@san.rr.com


Marshall T. Rose
Dover Beach Consulting, Inc.
POB 255268
Sacramento, CA 95865-5268
US

Phone: +1 916 483 8878
EMail: mrose@dbc.mtview.ca.us
































New & Rose Standards Track [Page 35]

RFC 3195 Reliable Delivery for syslog November 2001


Full Copyright Statement

Copyright (C) The Internet Society (2001). All Rights Reserved.

This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph are
included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English.

The limited permissions granted above are perpetual and will not be
revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an
"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the
Internet Society.



















New & Rose Standards Track [Page 36]

==========================================

linux的syslog问题


http://www.xfocus.net/vuls/199910/36.html
==========================================
openlog()和syslog()的用法

http://blog.chinaunix.net/u/22878/showart_201445.html
==========================================

c语言库函数syslog--将信息记录至系统日志文件

                                      

参见 《unix 环境高级编程》第13 章 精灵进程

在Linux下有个syslogd的Daemon程式,syslog是个系统管理员必看的档案。因此,如果您的程式有除错或安全讯息要显示,写到syslog是个很好的选择。

syslog有三个函数,使用上,一般您只需要用syslog(...)这个函数即可,一般使用状况下,openlog/closelog是可有可无的。

syslog()中的priority是facility及level的组合,其後参数的用法与printf无异。

范例:
#include
#include
#include
#include

void main(void)
{
if (fork()==0) {
for (;;) {
syslog(LOG_USER|LOG_INFO,"syslog programming test\n");
sleep(10);
}
}
}

检验:
tail -f /var/log/messages

Mar 22 01:42:51 foxman log: syslog programming test
Mar 22 01:43:31 foxman last message repeated 4 times
Mar 22 01:44:31 foxman last message repeated 6 times
Mar 22 01:45:31 foxman last message repeated 6 times
Mar 22 01:46:21 foxman last message repeated 5 times



--------------------------------------------------------------------------------


void openlog( char *ident, int option, int facility)
void syslog( int priority, char *format, ...)
void closelog( void )

option
用於openlog()的option参数可以是以下几个的组合:

LOG_CONS : 如果送到system logger时发生问题,直接写入系统console。
LOG_NDELAY : 立即开启连接(通常,连接是在第一次写入讯息时才打开的)。
LOG_PERROR : 将讯息也同时送到stderr
LOG_PID : 将PID含入所有讯息中

facility
facility参数用来指定何种程式在记录讯息,这可让设定档来设定何种讯息如何处理。

LOG_AUTH : 安全/授权讯息(别用这个,请改用LOG_AUTHPRIV)
LOG_AUTHPRIV : 安全/授权讯息
LOG_CRON : 时间守护神专用(cron及at)
LOG_DAEMON : 其它系统守护神
LOG_KERN : 核心讯息
LOG_LOCAL0到LOG_LOCAL7 : 保留
LOG_LPR : line printer次系统
LOG_MAIL : mail次系统
LOG_NEWS : USENET news次系统
LOG_SYSLOG : syslogd内部所产生的讯息
LOG_USER(default) : 一般使用者等级讯息
LOG_UUCP : UUCP次系统

level
决定讯息的重要性. 以下的等级重要性逐次递减:

LOG_EMERG : 系统无法使用
LOG_ALERT : 必须要立即采取反应行动
LOG_CRIT : 重要状况发生
LOG_ERR : 错误状况发生
LOG_WARNING : 警告状况发生
LOG_NOTICE : 一般状况,但也是重要状况
LOG_INFO : 资讯讯息
LOG_DEBUG : 除错讯

配置文件:
/etc/syslog-ng/syslog-ng.conf

添加语句为:
destination chentest_log { file("/var/log/chentest.log"); };
filter chentest { program("chentest"); };
filter n_chentest { not program("chentest"); };
log { source(src); filter(chentest); destination(chentest_log); };
log { source(src); filter(n_indexfiles); filter(n_chentest); filter(n_contentserver); filter(n_gongtest);destination(messages); };
第一句指明了写文件路径,
2句是一个过滤,表明运行程序chentest的日志写入/var/log/chentest.log里,当然最后要记得 定义非chentest的程序日志写入/var/log/messages里,否则LINUX仍然会写chentest的日志到message里面.
另外,注意:这样只定义了chentest这个应用程序,必须确定你想写入你自己LOG的应用程序名必须是chentest.

完整的配置文件


# $Header: /var/cvsroot/gentoo-x86/app-admin/syslog-ng/files/syslog-ng.conf.gentoo,v 1.5 2005/05/12 05:46:10 mr_bones_ Exp $
#
# Syslog-ng default configuration file for Gentoo Linux
# contributed by Michael Sterrett

options {
    chain_hostnames(off);
    sync(0);

    # The default action of syslog-ng 1.6.0 is to log a STATS line
    # to the file every 10 minutes.  That's pretty ugly after a while.
    # Change it to every 12 hours so you get a nice daily update of
    # how many messages syslog-ng missed (0).
    stats(43200);
};

source src { unix-stream("/dev/log"); internal(); pipe("/proc/kmsg"); };

destination messages { file("/var/log/messages"); };
destination creatidf_log { file("/var/log/caocreatidf.log"); };
destination daily_log { file("/var/log/caodaily.log"); };
# By default messages are logged to tty12...
destination console_all { file("/dev/tty12"); };

filter creatidf { program("creatidf"); };
filter daily { program("daily"); };
filter n_creatidf { not program("creatidf"); };
filter n_daily { not program("daily"); };
# ...if you intend to use /dev/console for programs like xconsole
# you can comment out the destination line above that references /dev/tty12
# and uncomment the line below.
#destination console_all { file("/dev/console"); };

log { source(src); destination(messages); };
log { source(src); filter(creatidf); destination(creatidf_log); };
log { source(src); filter(daily); destination(daily_log); };
log { source(src); filter(n_creatidf); filter(n_daily); destination(messages); };
log { source(src); destination(console_all); };




【作者: colding】【访问统计:298】【2006年06月19日 星期一 18:24】【 加入博采】【】

你可以使用这个链接引用该篇文章 http://publishblog.blogchina.com/blog/tb.b?diaryID=5263751


==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

==========================================

阅读(6887) | 评论(0) | 转发(0) |
给主人留下些什么吧!~~